Subdomain Takeover: Starbucks points to Azure

This post is the write-up about bug bounty report that I reported back in March 2018 to Starbucks. The report is now disclosed, and I was awarded $2,000 bounty. Although I have written about subdomain takeover in multipleposts, this case was somehow different.

The domain in question was svcgatewayus.starbucks.com. The domain pointed to a non-existing resource in Microsoft Azure. I realized that I have never talked about Microsoft Azure as a potential vector for subdomain takeover.

The most significant difference compared to CloudFront and other similar services are, that Azure provides dedicated IP address to both of these services. The provided subdomain that points to it using A record. In other words, Azure doesn't utilize virtual hosts setup (as I described previously). This means that for potential subdomain takeover, you only need to look for DNS status being NXDOMAIN.

There are lots of misconceptions about when the subdomain takeover for Azure is possible. I recommend running a simple dig command:

dig -t A DOMAIN_TO_CHECK

Is the response status NXDOMAIN? If yes, great, the takeover might be possible. Note that receiving 404 HTTP error does not mean the subdomain takeover is possible at all! As I said before, the services have dedicated VPS. For successful subdomain takeover, DNS request should always return NXDOMAIN.

The subdomain in the report pointed to 1fd05821-7501-40de-9e44-17235e7ab48b.cloudapp.net. I needed to create a PoC which was a little bit tricky. The rough guideline of how I did it follows:

Created a new Cloud Service in the portal. It asks for a custom domain name. Remember: This domain name needs to match since you are not dealing with virtual host anymore. You can confirm this theory by noticing that Cloud Service never asks for a domain name which you will use for CNAME.

Created a Storage Account for the Cloud Service in the Azure portal.

Azure requires a specific format for deployment of Cloud Services which is generated by Visual Studio. I created a simple ASP.NET web application and uploaded it to this Cloud Service using this tutorial.

Because of DNS, the A record for svcgatewayus.starbucks.com is pointing to Azure, and so the HTTP request returns the content from the ASP.NET application I just deployed.

For Azure Websites, the process is much more straightforward and looks closer to traditional PaaS. To create PoC for Azure Websites, I recommend the following this tutorial. I tested that, and it works correctly.

I have to say that I find the Azure portal very messy. IMHO it is a lot more complex than AWS with no significant benefits.

Azure offers several other services with a different structure, subdomains, and PoC process that I will cover in one of the future posts. Follow me on Twitter to get it first.